ONDotnet.com: .NET Serialization, Part 1 [Oct. 13, 2003]
... serialization. In the next article, I will discuss how to serialize an object into an XML document. Binary Serialization. Consider ...

Serializing an Immutable Bean Property to XML (Java Developers ...)
... Create an object with an ... new FileOutputStream("outfilename.xml"))); Specify to ... class, new DefaultPersistenceDelegate(propertyNames); // Serialize the object ...

Fawcette.com - Serialize Objects to XML in .NET
... Let's look at a simple example of using serialization to persist an object's state to XML. This code shows a simple class and associated ...

... Using the objects contained in the System.XML.Serialization namespace, you can create a serialized configuration object that you can persist and de-persist to ...

XML.com: XMLS Object Persistence: Serialization Problems [Sep. 08 ...]
... of serialized data) is taken care of by the XML parser ... So far we've seen how to serialize simple data types ... at Figure 1 you see not just one object, but several ...

Serialize an XML DOM Object to a File (Visual Basic) (MSXML 4.0 ...)
Serialize an XML DOM Object to a File (Visual Basic). You might often need to persist a DOM object so that you can reuse it later, or to save the XML object ...


Walkthrough: Persisting an Object in Visual Basic .NET (Visual ...)
... To persist the object using SOAP format: In ... module: Imports System.Runtime.Serialization.Formatters.Soap; ... references from "SavedLoan.bin" to "SavedLoan.xml" ...

Guides
... If you use binary serialization to persist an object, deserializing it will give you an exact copy. XML serialization, on the other hand, will only persist ...

... The Serialize() method makes use of the pluggable architecture we ... from System.IO.Stream, System.Xml.XmlWriter or ... deal of flexibility where to persist objects to ...

TopXML : Advanced XmlSerializer (.NET Framework)
... Using XML serialization will reduce the amount of code you have ... You no longer have to parse XML to initialize ... you have to develop code for objects to persist ...
Serializing Objects

Reconstructing an object from a stream requires that the object first be written to a stream. So
let's start there.

How to Write to an ObjectOutputStream 

Writing objects to a stream is a straightforward process. For example, the following gets the
current time in milliseconds by constructing a Date object and then serializes that object:

    import java.io.*;
    import java.util.Date;

    FileOutputStream out = new FileOutputStream("theTime");
    ObjectOutputStream s = new ObjectOutputStream(out);
    s.writeObject("Today");
    s.writeObject(new Date());
    s.flush();

ObjectOutputStream must be constructed on another stream. This code constructs an
ObjectOutputStream on a FileOutputStream, thereby serializing the object to a file named
theTime. Next, the string Today and a Date object are written to the stream with the
writeObject method of ObjectOutputStream.

Thus, the writeObject method serializes the specified object, traverses its references to other
objects recursively, and writes them all. In this way, relationships between objects are
maintained.

ObjectOutputStream implements the DataOutput interface that defines many methods for
writing primitive data types, such as writeInt, writeFloat, or writeUTF. You can use these
methods to write primitive data types to an ObjectOutputStream.

The writeObject method throws a NotSerializableException if it's given an object that is
not serializable. An object is serializable only if its class implements the Serializable
interface.

How to Read from an ObjectInputStream

Once you've written objects and primitive data types to a stream, you'll likely want to read them 
out again and reconstruct the objects. This is also straightforward. Here's code that reads in the 
String and the Date objects that were written to the file named theTime in the previous 
example: 



    import java.io.*;
    import java.util.Date;

    FileInputStream in = new FileInputStream("theTime");
    ObjectInputStream s = new ObjectInputStream(in);
    String today = (String) s.readObject();   // readObject also throws ClassNotFoundException
    Date date = (Date) s.readObject();



1 of 2    3/1/04 2:06 PM

Serializing Objects    http://java.sun.com/docs/books/tutorial/essential/io/serializing.html

Like ObjectOutputStream, ObjectInputStream must be constructed on another stream. In
this example, the objects were archived in a file, so the code constructs an
ObjectInputStream on a FileInputStream. Next, the code uses ObjectInputStream's
readObject method to read the String and the Date objects from the file. The objects must
be read from the stream in the same order in which they were written. Note that the return
value from readObject is an Object that is cast to and assigned to a specific type.

The readObject method deserializes the next object in the stream and traverses its references
to other objects recursively to deserialize all objects that are reachable from it. In this way, it
maintains the relationships between the objects.

ObjectInputStream implements the DataInput interface that defines methods for
reading primitive data types. The methods in DataInput parallel those defined in DataOutput
for writing primitive data types. They include methods such as readInt, readFloat, and
readUTF. Use these methods to read primitive data types from an ObjectInputStream.
Object Serialization

Two streams in java.io-- ObjectInputStream and ObjectOutputStream-- are
run-of-the-mill byte streams and work like the other input and output streams. However, they
are special in that they can read and write objects.

The key to writing an object is to represent its state in a serialized form sufficient to
reconstruct the object as it is read. Object serialization is essential to building all but the most
transient applications. You can use object serialization in the following ways:

• Remote Method Invocation (RMI)-- communication between objects via sockets



Note: The client and server programs in Putting It All Together use RMI to 
communicate. You can see object serialization used in that example to pass 
various objects back and forth between the client and server. 



• Lightweight persistence-- the archival of an object for use in a later invocation of the same program

You need to know about object serialization from two points of view. First, you need to know
how to serialize objects by writing them to an ObjectOutputStream and reading them in again
using an ObjectInputStream. The next section, Serializing Objects, shows you how. Second,
you will want to know how to write a class so that its instances can be serialized. You can read
how to do this in the section after that, Providing Object Serialization for Your Classes.
Providing Object Serialization for Your Classes

An object is serializable only if its class implements the Serializable interface. Thus, if you
want to serialize the instances of one of your classes, the class must implement the
Serializable interface. The good news is that Serializable is an empty interface. That is, it
doesn't contain any method declarations; its purpose is simply to identify classes whose objects
are serializable.

Implementing the Serializable Interface 

Here's the complete definition of the Serializable interface:

    package java.io;

    public interface Serializable {
        // there's nothing in here!
    }

Making instances of your classes serializable is easy. You just add the implements
Serializable clause to your class declaration like this:

    public class MySerializableClass implements Serializable {
        // fields and methods as usual
    }

You don't have to write any methods. The serialization of instances of this class is handled by
the defaultWriteObject method of ObjectOutputStream. This method automatically writes
out everything required to reconstruct an instance of the class, including the following:

• Class of the object

• Class signature

• Values of all non-transient and non-static members, including members that refer to
other objects

You can deserialize any instance of the class with the defaultReadObject method in
ObjectInputStream.

For many classes, this default behavior is good enough. However, default serialization can be
slow, and a class might want more explicit control over the serialization.

Customizing Serialization

You can customize serialization for your classes by providing two methods for it:
writeObject and readObject. The writeObject method controls what information is saved
and is typically used to append additional information to the stream. The readObject method
either reads the information written by the corresponding writeObject method or can be used
to update the state of the object after it has been restored.

The writeObject method must be declared exactly as shown in the following example and
should call the stream's defaultWriteObject as the first thing it does to perform default
serialization. Any special arrangements can be handled afterwards:

    private void writeObject(ObjectOutputStream s) throws IOException {
        s.defaultWriteObject();
        // customized serialization code
    }

The readObject method must read in everything written by writeObject in the same order in
which it was written. Also, the readObject method can perform calculations or update the
state of the object. Here's the readObject method that corresponds to the writeObject
method just shown:

    private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException {
        s.defaultReadObject();
        // customized deserialization code
        // followed by code to update the object, if necessary
    }

The readObject method must be declared exactly as shown; because defaultReadObject can
throw ClassNotFoundException, the method must declare that exception as well.

The writeObject and readObject methods are responsible for serializing only the immediate
class. Any serialization required by the superclasses is handled automatically. However, a class
that needs to explicitly coordinate with its superclasses to serialize itself can do so by
implementing the Externalizable interface.

Implementing the Externalizable Interface

For complete, explicit control of the serialization process, a class must implement the
Externalizable interface. For Externalizable objects, only the identity of the object's class
is automatically saved by the stream. The class is responsible for writing and reading its
contents, and it must coordinate with its superclasses to do so.

Here's the complete definition of the Externalizable interface that extends Serializable:

    package java.io;

    public interface Externalizable extends Serializable {
        public void writeExternal(ObjectOutput out) throws IOException;
        public void readExternal(ObjectInput in) throws IOException,
            java.lang.ClassNotFoundException;
    }

The following holds for an Externalizable class:

• It must implement the java.io.Externalizable interface.

• It must implement a writeExternal method to save the state of the object. Also, it must
explicitly coordinate with its supertype to save its state.

• It must implement a readExternal method to read the data written by the
writeExternal method from the stream and restore the state of the object. It must
explicitly coordinate with the supertype to restore its state.
• If an externally defined format is being written, the writeExternal and readExternal
methods are solely responsible for that format.

The writeExternal and readExternal methods are public and carry the risk that a client may
be able to write or read information in the object other than by using its methods and fields.
These methods must be used only when the information held by the object is not sensitive or
when exposing that information would not present a security risk.
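An added example, not from the tutorial, of the coordination the list above requires: a constructed LabeledPoint extends a plain Point and writes and reads the supertype's state itself, since the stream records only the class identity. The runtime also requires an Externalizable class to have a public no-argument constructor, which the stream calls before readExternal; the class and field names are assumptions of this example.

```java
import java.io.*;

// Constructed example: an Externalizable subclass that explicitly coordinates
// with its supertype, which the stream will not do on its behalf.
class Point {
    protected int x, y;
    Point() {}
    Point(int x, int y) { this.x = x; this.y = y; }
    void writeState(ObjectOutput out) throws IOException { out.writeInt(x); out.writeInt(y); }
    void readState(ObjectInput in) throws IOException { x = in.readInt(); y = in.readInt(); }
}

public class LabeledPoint extends Point implements Externalizable {
    private String label;

    public LabeledPoint() {}   // required: the stream instantiates via this, then calls readExternal
    public LabeledPoint(int x, int y, String label) { super(x, y); this.label = label; }

    @Override public void writeExternal(ObjectOutput out) throws IOException {
        writeState(out);       // supertype state first; only the class identity is written for us
        out.writeUTF(label);   // then this class's own contents
    }

    @Override public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {
        readState(in);         // same order as writeExternal
        label = in.readUTF();
        if (label.length() > 32) throw new InvalidObjectException("label too long");
    }

    @Override public String toString() { return label + "(" + x + "," + y + ")"; }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new LabeledPoint(3, 4, "corner"));
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            System.out.println(in.readObject());
        }
    }
}
```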

Protecting Sensitive Information 

When developing a class that provides controlled access to resources, you must take care to
protect sensitive information and functions. During deserialization, the private state of the
object is restored. For example, a file descriptor contains a handle that provides access to an
operating system resource. Being able to forge a file descriptor would allow some forms of
illegal access, since restoring state is done from a stream. Therefore the serializing runtime
must take the conservative approach and not trust the stream to contain only valid
representations of objects. To avoid compromising a class, you must ensure either that the
sensitive state of an object is not restored from the stream or that it is reverified by
the class.

Several techniques are available to protect sensitive data in classes. The easiest is to mark fields
that contain sensitive data as private transient. transient and static fields are not
serialized or deserialized. Marking the field will prevent the state from appearing in the stream
and from being restored during deserialization. Since writing and reading (of private fields)
cannot be superseded outside of the class, the class's transient fields are safe.

Particularly sensitive classes should not be serialized. To accomplish this, the object should not
implement either the Serializable or Externalizable interface.

Some classes may find it beneficial to allow writing and reading but to specifically handle and
revalidate the state as it is deserialized. The class should implement writeObject and
readObject methods to save and restore only the appropriate state. If access should be denied,
throwing a NotSerializableException will prevent further access.
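An added example, not from the tutorial, that covers both the Customizing Serialization section and this one: a constructed GuardedAccount whose writeObject appends a format version after defaultWriteObject, and whose readObject restores in the same order, reverifies every value taken from the untrusted stream, recomputes a derived transient field and leaves the transient password unset. The class name, field names, limits and the version number are assumptions of this example.

```java
import java.io.*;

// Constructed example: custom writeObject/readObject that append extra information,
// revalidate restored state and recompute transient fields after restore.
public class GuardedAccount implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String owner;
    private final long balanceCents;
    private transient char[] password; // sensitive: never enters the stream
    private transient int ownerHash;   // derived: recomputed, not taken from the stream
    public GuardedAccount(String owner, long balanceCents, char[] password) {
        this.owner = owner;
        this.balanceCents = balanceCents;
        this.password = password.clone();
        this.ownerHash = owner.hashCode();
    }
    private void writeObject(ObjectOutputStream s) throws IOException {
        s.defaultWriteObject(); // non-transient, non-static fields: owner, balanceCents
        s.writeInt(1);          // additional information: record-format version
    }
    private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException {
        s.defaultReadObject();  // must mirror writeObject, in the same order
        int version = s.readInt();
        // The stream is untrusted: reverify everything before the object becomes usable.
        if (version != 1) throw new InvalidObjectException("unsupported version " + version);
        if (owner == null || owner.isEmpty() || owner.length() > 64)
            throw new InvalidObjectException("invalid owner");
        if (balanceCents < 0) throw new InvalidObjectException("negative balance");
        ownerHash = owner.hashCode(); // update the object's state after restore
        password = null;              // stays unset; a password is never taken from a stream
    }
    public boolean hasPassword() { return password != null; }
    public long balanceCents() { return balanceCents; }
    // Round trip through memory instead of a file.
    static GuardedAccount roundTrip(GuardedAccount a) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(a); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (GuardedAccount) in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        GuardedAccount a = roundTrip(new GuardedAccount("alice", 1500, "pw".toCharArray()));
        System.out.println(a.balanceCents() + " hasPassword=" + a.hasPassword());
        try { roundTrip(new GuardedAccount("mallory", -1, "x".toCharArray())); }
        catch (InvalidObjectException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```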